Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul Moore <pmoore@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Corey Bryant <coreyb@linux.vnet.ibm.com>,
	wad@chromium.org, qemu-devel <qemu-devel@nongnu.org>,
	Eduardo Otubo <otubo@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [PATCH] seccomp: adding a second whitelist
Date: Fri, 30 Aug 2013 11:42:34 -0400	[thread overview]
Message-ID: <5324254.5TBDVHLJVV@sifl> (raw)
In-Reply-To: <CAJSP0QUfkSOujKBmSqwa8mp-BXTy8h-kvo8Fyc6_htKJBj938g@mail.gmail.com>

On Friday, August 30, 2013 05:23:45 PM Stefan Hajnoczi wrote:
> On Fri, Aug 30, 2013 at 4:21 PM, Eduardo Otubo <otubo@linux.vnet.ibm.com> 
wrote:
> > On 08/29/2013 05:34 AM, Stefan Hajnoczi wrote:
> >> On Wed, Aug 28, 2013 at 10:04:32PM -0300, Eduardo Otubo wrote:
> >>> Now there's a second whitelist, right before the vcpu starts. The second
> >>> whitelist is the same as the first one, except for exec() and select().
> >> 
> >> -netdev tap,downscript=/path/to/script requires exec() in the QEMU
> >> shutdown code path.  Will this work with seccomp?
> > 
> > I actually don't know, but I'll test that as well. Can you run a test with
> > this patch and -netdev? I mean, if you're pointing that out you might have
> > a scenario already setup, right?
> 
> I'm not having much luck running qemu.git/master with CONFIG_SECCOMP
> on Fedora 19.  The GTK UI opens but I don't see the guest's display.
> 
> $ x86_64-softmmu/qemu-system-x86_64
> [...GTK UI opens but QEMU is hung...]
> 
> strace shows the process is hung somehow and ps says it's <defunct>
> although it never exited.
> 
> $ sudo cat /proc/5912/stack
> [<ffffffff81061fda>] do_exit+0x6ca/0xa20
> [<ffffffff810ef090>] __secure_computing+0xe0/0x240
> [<ffffffff8101d722>] syscall_trace_enter+0x172/0x230
> [<ffffffff816478c8>] tracesys+0x7e/0xe2
> [<ffffffffffffffff>] 0xffffffffffffffff
> 
> Okay, so seccomp killed the process.
> 
> $ sudo cat /proc/5912/syscall
> 29 0x0 0x1000 0x380 0x7fffbeb49380 0x0 0x0 0x7fffbeb495b8 0x7f6b72402657
> 
> $ git grep '\<29\>' arch/x86/include/generated/uapi/asm/unistd_64.h
> #define __NR_shmget 29
> 
> Now it needs syscall 30.  I guess the whitelist is only designed for a
> specific invocation that you are testing?

For future reference, it doesn't need to be that hard to identify when seccomp 
has killed a process.  If you're running audit go ahead and check the audit 
log:

 # ausearch -m SECCOMP
 ----
 time->Fri Aug 30 11:37:46 2013
 type=SECCOMP msg=audit(1377877066.414:64): auid=0 uid=0 gid=0 ses=1
 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3787
 comm="20-live-basic_d" sig=31 syscall=2 compat=0 ip=0x3a27ae6570 code=0x0

... and notice the 'syscall' field which in this case happens to be '2'.  If 
you have the 'scmp_sys_resolver' tool installed on your system (libseccomp-
devel >= 2.1.0 on Fedora) you can then resolve the syscall number:

 # scmp_sys_resolver 2
 open

It is also worth mentioning that while scmp_sys_resolver resolves syscalls for 
the native architecture by default, it can resolve for any of the 
architectures that libseccomp supports, see the manpage for details 
(currently: x86, x86_64, x32, and arm).

-- 
paul moore
security and virtualization @ redhat

next prev parent reply	other threads:[~2013-08-30 15:42 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-29  1:04 [Qemu-devel] [PATCH] seccomp: adding a second whitelist Eduardo Otubo
2013-08-29  8:34 ` Stefan Hajnoczi
2013-08-29  8:56   ` Paolo Bonzini
2013-08-30 14:22     ` Eduardo Otubo
2013-08-30 14:21   ` Eduardo Otubo
2013-08-30 15:23     ` Stefan Hajnoczi
2013-08-30 15:42       ` Paul Moore [this message]
2013-09-02  9:05         ` Stefan Hajnoczi
2013-09-03 18:02     ` Corey Bryant
2013-09-03 18:08       ` Corey Bryant
2013-09-03 18:21         ` Paul Moore
2013-09-03 18:23           ` Corey Bryant
2013-09-03 20:07           ` Eduardo Otubo
2013-09-03 21:49             ` Paul Moore
2013-09-03 20:05       ` Eduardo Otubo
2013-09-03 21:08         ` Corey Bryant
2013-08-29 12:56 ` Paul Moore
2013-08-30 14:27   ` Eduardo Otubo
2013-08-30 15:32     ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5324254.5TBDVHLJVV@sifl \
    --to=pmoore@redhat.com \
    --cc=coreyb@linux.vnet.ibm.com \
    --cc=otubo@linux.vnet.ibm.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@gmail.com \
    --cc=wad@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.